Thevilledev

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 1.17.2 Kyverno versions prior to 1.16.4 **Description** An unchecked type assertion in the `forEach` mutation handler allows a user with permissions to create a `Policy` or `ClusterPolicy` to cause the cluster-wide background controller to enter a persistent CrashLoopBackOff, which is a state where a container repeatedly crashes and restarts. This issue also causes the admission controller to drop connections and block all matching resource operations. The crash loop continues until the policy is deleted. This issue is limited to the legacy engine, while CEL-based policies are not affected. **Recommendations** Update to version 1.17.2 Update to version 1.16.4

**Name of the Vulnerable Software and Affected Versions** Argo Workflows versions 3.6.5 through 3.6.19 Argo Workflows versions 3.7.0-rc1 through 3.7.12 Argo Workflows versions 4.0.0-rc1 through 4.0.4 **Description** An unchecked array index in the pod informer's `podGCFromPod()` function causes a controller-wide panic when a workflow pod contains a malformed `workflows.argoproj.io/pod-gc-strategy` annotation. Because the panic occurs inside an informer goroutine outside the controller's recover scope, it crashes the entire controller process. The poisoned pod persists across restarts, leading to a crash loop that halts all workflow processing until the pod is manually deleted. This allows any user with permission to submit workflows to cause a denial-of-service against all workflows in the cluster. **Recommendations** Update Argo Workflows versions 3.6.5 through 3.6.19 to version 3.6.20 or newer. Update Argo Workflows versions 3.7.0-rc1 through 3.7.12 to version 3.7.14. Update Argo Workflows versions 4.0.0-rc1 through 4.0.4 to version 4.0.5.

**Name of the Vulnerable Software and Affected Versions** Argo Workflows versions 2.9.0 through 4.0.1 Argo Workflows version 3.7.11 **Description** Argo Workflows is a container-native workflow engine for Kubernetes. A user who can submit Workflows can bypass security settings defined in a `WorkflowTemplate` by including a `podSpecPatch` field in their Workflow submission. This bypass occurs even when the controller is configured with `templateReferencing: Strict`, which is intended to restrict users to admin-approved templates. The `podSpecPatch` field takes precedence during spec merging and is applied to the pod spec without security validation. Specifically, the merge priority order is Workflow Spec > WorkflowTemplate Spec > WorkflowDefault Spec. The `ApplyPodSpecPatch()` function only validates the JSON syntax of the patch, without checking for dangerous security settings. This allows attackers to override security settings like running containers as root, enabling privileged mode, mounting the host filesystem, and adding all Linux capabilities. Exploitation can grant a user full root access to the underlying Kubernetes node. **Recommendations** Argo Workflows versions prior to 4.0.2 must be updated. Argo Workflows version 3.7.11 must be installed.

**Name of the Vulnerable Software and Affected Versions** Kubewarden versions prior to 1.33.0 **Description** Kubewarden is a policy engine for Kubernetes. An attacker with privileged "AdmissionPolicy" create permissions could leverage three deprecated host-callback APIs: `kubernetes/ingresses`, `kubernetes/namespaces`, and `kubernetes/services`. By crafting a policy that utilizes these APIs, an attacker gains read access to Ingresses, Namespaces, and Services resources. This access is read-only, with no write capabilities and no access to sensitive data like Secrets or ConfigMaps. The attacker could potentially reveal cluster internal topology by reading Service information, and access namespace names and labels, and Ingress hostnames and routing rules. **Recommendations** Update the policy-server image used by PolicyServers to version 1.33.0. Alternatively, temporarily reduce the permissions of users to prevent them from creating or updating namespaced AdmissionPolicies or AdmissionPolicyGroups.

**Name of the Vulnerable Software and Affected Versions** opa-envoy-plugun versions prior to 1.13.2-envoy-2 **Description** The `opa-envoy-plugun` plugin has an issue in how the `input.parsed path` field is constructed. HTTP request paths are treated as full URIs during parsing, leading to the interpretation of leading path segments prefixed with double slashes (`//`) as authority components, and subsequently dropping them from the parsed path. This discrepancy between the path evaluated by the authorization filter and the path served by the backend server can allow attackers to bypass access controls by crafting malicious requests. The issue arises when authorization policies rely on `input.parsed path` for path-based decisions, and backend servers apply lenient path normalization. The affected request pattern examples demonstrate how the `input.parsed path` field can differ from the actual request path, potentially leading to unauthorized access. The `input.attributes.request.http.path` field contains the unprocessed, raw request path. **Recommendations** Versions prior to 1.13.2-envoy-2: Upgrade to version 1.13.2-envoy-2 or later. Versions prior to 1.13.2-envoy-2: Enable the `merge slashes` Envoy configuration option. Versions prior to 1.13.2-envoy-2: Use `input.attributes.request.http.path` instead of `input.parsed path` in policies.

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 1.16.3 Kyverno versions prior to 1.15.3 **Description** Kyverno is a policy engine for cloud native platform engineering teams. Affected versions experience unbounded memory consumption within the policy engine. Users with policy creation privileges can trigger a denial of service by creating policies that exponentially amplify string data using context variables. This issue is similar to a 'Billion Laughs' style attack, where an attacker can cause the system to crash by exhausting available memory. **Recommendations** Update to Kyverno version 1.16.3 or later. Update to Kyverno version 1.15.3 or later.

**Name of the Vulnerable Software and Affected Versions** Kyverno versions prior to 1.16.3 and 1.15.3 **Description** Kyverno, a policy engine for cloud native platform engineering teams, contains a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount without enforcing namespace limitations. This allows any authenticated user with permission to create a namespaced Policy to perform Kubernetes API requests using Kyverno’s admission controller identity, potentially targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation, enabling cross-namespace reads of resources like ConfigMaps and Secrets, and allows cluster-scoped or cross-namespace writes, such as creating ClusterPolicies, by controlling the `urlPath` through context variable substitution. The vulnerability exists in how Kyverno handles `apiCall` context entries, specifically the variable substitution on the `URLPath` field without proper sanitization or authorization validation. An attacker can construct any valid API path to access and mutate resources they shouldn't have access to. This can lead to data exfiltration, disruption of the entire cluster by creating malicious `ClusterPolicy` resources, and potential privilege escalation. The vulnerability affects both data retrieval and the ability to create cluster-level resources. **Recommendations** Update Kyverno to version 1.16.3 or 1.15.3.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.1.0 through 2.14.19 Argo CD versions 3.0.0-rc1 through 3.0.18 Argo CD versions 3.1.0-rc1 through 3.1.7 Argo CD version 3.2.0-rc1 **Description** Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a race condition within its repository credentials handler. This condition arises when concurrent operations are performed on the same repository URL, potentially causing the Argo CD server to panic and crash. The issue resides in repository-related handlers within the `util/db/repository secrets.go` file, specifically functions like `secretToRepoCred`. The race condition stems from concurrent map access without proper mutex protection, triggered by repository credential operations (create, update, or delete) alongside Kubernetes informer re-syncs and background watchers. Exploitation requires a valid API token with `repositories` resource permissions, allowing attackers to repeatedly trigger the condition and maintain a denial-of-service state, disrupting GitOps operations. **Recommendations** Update to Argo CD version 2.14.20 or later. Update to Argo CD version 3.0.19 or later. Update to Argo CD version 3.1.8 or later. Update to Argo CD version 3.2.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions:** CoreDNS versions 1.2.0 through 1.12.3 **Description:** CoreDNS, a DNS server that chains plugins, contains a TTL confusion vulnerability within the etcd plugin. This flaw arises from the incorrect use of lease IDs as TTL values, potentially enabling DNS cache pinning attacks. Specifically, the `TTL()` function in `plugin/etcd/etcd.go` casts etcd lease IDs (64-bit integers) to uint32, resulting in excessively large TTLs when the lease ID is large. This allows attackers to pin DNS cache entries for extended periods, leading to a denial of service for DNS resolution of affected services. An attacker with etcd write access can exploit this by writing or updating a key with any lease, causing downstream resolvers and clients to cache answers for years. **Recommendations:** CoreDNS versions prior to 1.12.4 are affected. Update to CoreDNS version 1.12.4 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Kyverno versions 1.14.1 and below **Description** Kyverno is susceptible to a Denial of Service (DoS) vulnerability stemming from improper handling of JMESPath variable substitutions. Attackers possessing permissions to create or update Kyverno policies can exploit this by crafting expressions utilizing the `{{@}}` variable in conjunction with a pipe and an invalid JMESPath function (e.g., `{{@ | non existent function }}`). This results in a `nil` value being substituted into the policy structure. Subsequent processing by the `getValueAsStringMap` function, which expects string values, triggers a panic due to a type assertion failure. This can crash Kyverno worker threads within the admission controller and cause continuous crashes of the reports controller pod, potentially leading to service degradation or unavailability. **Recommendations** Kyverno versions prior to 1.14.2 are affected. Update to version 1.14.2 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** CoreDNS versions prior to 1.12.2 CoreDNS versions prior to 1.21.2 **Description** A Denial of Service (DoS) issue exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch introduces two key mitigation mechanisms: `max streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker pool size`, which introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. **Recommendations** For versions prior to 1.12.2, update to version 1.12.2 or later. For versions prior to 1.21.2, update to version 1.21.2 or later. As a temporary workaround, consider disabling QUIC support by removing or commenting out the `quic://` block in the Corefile. Use container runtime resource limits to detect and isolate excessive memory usage. Monitor QUIC connection patterns and alert on anomalies.

**Name of the Vulnerable Software and Affected Versions** cpp-httplib versions prior to 0.20.1 **Description** cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Versions prior to 0.20.1 do not enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. This allows a remote attacker to send a chunked request without the terminating zero-length chunk, leading to uncontrolled memory allocation. This can result in exhaustion of system memory and a server crash or unresponsiveness. **Recommendations** Upgrade to cpp-httplib version 0.20.1 or later. As a temporary workaround, deploy a reverse proxy (e.g., Nginx, HAProxy) and configure it to enforce maximum request body size limits.

**Name of the Vulnerable Software and Affected Versions** Argo Events versions prior to 1.9.6 **Description** Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create or modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container, thus any specification under container such as command, args, securityContext, volumeMount can be specified and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host if they specified the EventSource/Sensor CR with some particular properties under template. **Recommendations** For versions prior to 1.9.6, update to version 1.9.6 to fix the vulnerability. As a temporary workaround, consider restricting access to the EventSource and Sensor custom resources to prevent users from creating or modifying them with privileged properties. Additionally, restrict the use of spec.template and spec.template.container in EventSource and Sensor CRs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Beego versions prior to 2.3.6 **Description** Beego is an open-source web framework for the Go programming language. A Cross-Site Scripting (XSS) vulnerability exists in the `RenderForm()` function due to improper HTML escaping of user-controlled data. This allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application using Beego's `RenderForm()` function with user-provided data. The `RenderForm()` function generates an entire form markup and does not automatically escape attributes, creating a risk for injection attacks. The vulnerability is located in the `renderFormField()` function in `templatefunc.go` (around lines 316-356) where user-provided values are directly injected into HTML without proper escaping. **Recommendations** Update Beego to version 2.3.6 or later.